On Mon, 19 Jul 1999, Robin Becker wrote:
> I'm fairly sure I agree with 99% of your reply. It may be that Zope is secure; it's certainly too large for me to verify easily. As you say the net connection is insecure; this was almost always the case for unix

That depends upon your security policy. Just remove telnetd from inetd.conf, forbid non-anonymous ftp logins, and don't use POP3 with login accounts. Actually, in our case, with the exception of the root account (and the non-root account of the root), no login accounts carry any passwords. The only way to access the box for privileged users (meaning they DO have login access) is by providing the correct private ssh key.

> style logins. I quite like the validation approach of the monitor which again allows direct access to everything. If as you assert the net is insecure then I merely have to spy out a root password or two or get

But you don't spy out root passwords nowadays. And if you do, the admin in question deserves all the bullshit that will come his way :)

There are at least the following ``free'' ways to protect against Internet sniffers:

-) ssh1.
-) telnet-ssl.
-) vpnd.

> admin privileges or whatever. I intended no criticism of the zope security model other than 1) the passwords are in a meaningfully named file, 2) the file is unencrypted and 3) there is a standard initial manager login and password. These are not serious holes, but would get you shown the door by the more paranoid.

ad 3) Ok, changing the standard superuser password is natural. Perhaps it should be randomly generated.

ad 2) Well, Zope security works on a different level. Having access to the files constituting the Zope installation is equivalent to being the superuser of this installation. Put differently, Zope users are ``subusers'' of the Unix Zope superuser (the uid used to run Zope).

ad 1) see 2.

> OK I give up. Given the Monitor I can get at the source of any module so I can edit/replace etc. This allows remote internals management without breaking the Zope security policy.

Again, Monitor access is equivalent to Unix login-level access. The shell just happens to be called python, not /bin/sh ;)
Andreas -- Win95: n., A huge annoying boot virus that causes random spontaneous system crashes, usually just before saving a massive project. Easily cured by UNIX. See also MS-DOS, IBM-DOS, DR-DOS, Win 3.x, Win98.
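A concrete version of the host hardening Andreas describes above (drop telnet, ftp and POP3 from inetd, allow privileged logins only with an ssh key), as an added example that is not part of this thread and not Zope's or any listed tool's own code: a POSIX shell audit that checks an inetd.conf and an OpenSSH sshd_config for cleartext or password logins and writes hardened copies. The file contents are constructed samples, the function names and scratch-directory layout are assumptions, and the sshd keywords are the current OpenSSH set (PubkeyAuthentication, PermitRootLogin prohibit-password), not the protocol-1 names a 1999 daemon used. It disables ftp outright rather than restricting it to anonymous logins, which depends on the ftpd in use.

```shell
#!/bin/sh
# Added example (not from the original thread). Audits an inetd.conf for the
# cleartext login services the reply says to drop (telnet, ftp, POP3) and an
# OpenSSH sshd_config for password logins, then emits hardened copies.
# All file contents below are constructed samples; no real host is touched.

# Constructed sample inetd.conf with the risky services enabled.
SAMPLE_INETD='#service socket  proto flags   user   server          args
ftp      stream  tcp   nowait  root   /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp   nowait  root   /usr/sbin/tcpd  in.telnetd
#shell   stream  tcp   nowait  root   /usr/sbin/tcpd  in.rshd
pop-3    stream  tcp   nowait  root   /usr/sbin/tcpd  ipop3d
finger   stream  tcp   nowait  nobody /usr/sbin/tcpd  in.fingerd'

# Constructed sample sshd_config that still accepts passwords.
SAMPLE_SSHD='Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes'

# Services that carry a reusable Unix password in cleartext over the wire.
CLEARTEXT_LOGIN_SERVICES='telnet ftp pop-3 pop3'

# inetd_enabled_cleartext FILE -> space-separated enabled cleartext login
# services found in FILE (empty when clean). Comment and blank lines ignored.
inetd_enabled_cleartext() {
    found=''
    while read -r svc rest; do
        case "$svc" in ''|'#'*) continue ;; esac
        for bad in $CLEARTEXT_LOGIN_SERVICES; do
            [ "$svc" = "$bad" ] && found="$found $svc"
        done
    done < "$1"
    echo "${found# }"
}

# sshd_first_value FILE KEYWORD DEFAULT -> first value set for KEYWORD
# (sshd honours the first occurrence of each keyword), or DEFAULT if unset.
sshd_first_value() {
    val=$(awk -v k="$2" 'tolower($1)==tolower(k) {print $2; exit}' "$1")
    echo "${val:-$3}"
}

# sshd_password_logins_allowed FILE -> exit 0 when a password alone can log in.
# Assumed default: PasswordAuthentication yes when the keyword is absent.
sshd_password_logins_allowed() {
    [ "$(sshd_first_value "$1" PasswordAuthentication yes)" = yes ]
}

# harden_inetd IN OUT: copy IN to OUT with cleartext login services commented out.
harden_inetd() {
    awk -v bad=" $CLEARTEXT_LOGIN_SERVICES " \
        'NF && $1 !~ /^#/ && index(bad, " " $1 " ") { print "#" $0; next } { print }' \
        "$1" > "$2"
}

# harden_sshd IN OUT: copy IN to OUT forcing key-only logins. Our directives go
# first (so they win) and any existing ones for the same keywords are commented.
harden_sshd() {
    {
        echo 'PasswordAuthentication no'
        echo 'PermitEmptyPasswords no'
        echo 'PubkeyAuthentication yes'
        echo 'PermitRootLogin prohibit-password'
        awk 'tolower($1) ~ /^(passwordauthentication|permitemptypasswords|pubkeyauthentication|permitrootlogin)$/ { print "#" $0; next } { print }' "$1"
    } > "$2"
}

# Demonstration on the constructed samples in a scratch directory.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_INETD" > "$dir/inetd.conf"
    printf '%s\n' "$SAMPLE_SSHD" > "$dir/sshd_config"
    echo "cleartext login services enabled: $(inetd_enabled_cleartext "$dir/inetd.conf")"
    sshd_password_logins_allowed "$dir/sshd_config" && echo "sshd: password logins allowed"
    harden_inetd "$dir/inetd.conf" "$dir/inetd.conf.new"
    harden_sshd  "$dir/sshd_config" "$dir/sshd_config.new"
    echo "after hardening, enabled cleartext services: '$(inetd_enabled_cleartext "$dir/inetd.conf.new")'"
    sshd_password_logins_allowed "$dir/sshd_config.new" || echo "sshd: key-only logins"
    rm -rf "$dir"
}
demo
```

Run it with any sh; to audit a real host point the functions at /etc/inetd.conf and /etc/ssh/sshd_config instead of the samples, review the .new files, and only then swap them in and signal inetd and sshd to reload. The first-occurrence rule in sshd_first_value matters: appending `PasswordAuthentication no` to the end of a file that already says `yes` changes nothing, which is why harden_sshd prepends.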